EU AI Act Digital Omnibus Art.5(1)(l): Prohibition of Non-Consensual Synthetic Intimate Imagery (2026)
The EU AI Act Digital Omnibus adds a new prohibited practice to the existing list in Art.5(1): the prohibition of AI systems that generate non-consensual synthetic intimate imagery (NCII) of real individuals. Identified in the Digital Omnibus amendment text as Art.5(1)(l), this provision extends the EU AI Act's absolute prohibition regime — already covering eight categories from subliminal manipulation to real-time biometric identification — to explicitly target what are commonly called "nudifier" AI systems.
This is not a content moderation rule. It is an absolute prohibition on placing certain AI systems on the EU market. The prohibition operates at the system design level: if your AI system's primary purpose or its primary actual use is to generate intimate imagery of real individuals without their consent, the system cannot be offered to EU users. Technical safeguards, age verification, or ToS restrictions do not convert a prohibited system into a permitted one.
Enforcement timeline: The Digital Omnibus, when enacted, introduces Art.5(1)(l) with a compliance deadline of December 2027 — the same extended timeline the Omnibus applies to Annex III high-risk AI obligations. However, providers operating in the EU are advised to treat this as a planning deadline, not a grace period. Member State national laws prohibiting NCII (Germany §184k StGB, France Art.226-8 CP, Netherlands Art.139h Sr) are already in force and carry criminal penalties.
Penalty tier: Art.5(1)(l) violations fall under Art.99(1) — the highest penalty tier in the EU AI Act. Fines of up to €35,000,000 or 7% of total worldwide annual turnover, whichever is higher.
What Art.5(1)(l) Actually Prohibits
The Digital Omnibus amendment text for Art.5(1)(l) prohibits:
The placing on the market, putting into service, or use of AI systems that are designed, or whose primary actual use is, to generate synthetic intimate imagery depicting real, identifiable natural persons without their explicit, freely-given, specific, and informed consent.
Four elements define the prohibition:
1. Synthetic intimate imagery — The prohibition covers AI-generated images, video, or audio that depicts a real individual in a state of nudity or engaged in sexual conduct, where the imagery does not reflect reality (i.e., the real individual is not actually depicted in the underlying training or source material, or the AI has transformed non-intimate source material into intimate output). This includes:
- Image synthesis that removes clothing from photographs of clothed individuals
- Video deepfakes that insert a real individual's face into sexual content
- Avatar or character generation that realistically portrays a real individual in intimate contexts
- Text-to-image generation specifically prompted to generate intimate imagery of named real individuals
2. Real, identifiable natural persons — The prohibition covers imagery of individuals who can be identified from the output itself or from context. It does not cover synthetic characters with no real-world identity referent, provided the output is not designed to be attributed to a real individual.
3. AI systems designed for this purpose or primarily used for it — The prohibition uses a dual test. A system is prohibited if:
- It is designed to generate NCII (the system architecture, fine-tuning, or prompt framework targets this use case), or
- Its primary actual use is NCII generation, regardless of the stated design purpose
The "primary actual use" limb is significant. A general-purpose image synthesis model that is marketed, fine-tuned, or made accessible in ways that make NCII generation the dominant actual use case can fall within the prohibition even if the provider claims the system is general-purpose.
4. Without explicit, freely-given, specific, and informed consent — Consent is the only exception to the prohibition. The consent standard mirrors GDPR Art.7 requirements for consent to processing of sensitive personal data: it must be explicit (not implied), freely given (no coercion or power imbalance), specific (to the generation of intimate imagery, not general terms of service), and informed (the individual understands what will be generated and how it will be used).
Who Is Covered: The Supply Chain of Art.5(1)(l)
Art.5(1)(l) uses the EU AI Act's standard terminology of "placing on the market, putting into service, or use." This means the prohibition applies across the AI system supply chain:
Providers — Companies that develop and place the AI system on the EU market. If you develop a model, API, or application whose primary purpose or primary actual use is NCII generation, you cannot offer it to EU users. The prohibition applies regardless of where the provider is established: a US-based provider offering a nudifier API to EU users is subject to Art.5(1)(l) via the EU AI Act's extraterritorial application provisions (Art.2(1)(c)).
Deployers — Entities that put an AI system into service for end users. If a deployer takes a general-purpose image synthesis API and fine-tunes it, wires it into a user interface, or markets it specifically for NCII generation, the deployer's use of the system becomes prohibited even if the underlying model provider is not directly in scope.
Importers and distributors — These roles, defined in Art.3(4) and Art.3(5) of the EU AI Act, are also covered by the placing-on-market prohibition. An EU-based distributor of a non-EU nudifier application faces Art.5(1)(l) exposure.
Downstream API users — Where a general-purpose image synthesis API is accessed programmatically to build a nudifier application, the API user (the entity building the NCII use case) is the deployer. The API provider is not automatically liable for downstream misuse provided they have implemented the technical controls discussed below and the terms of service prohibit this use case — but they may face scrutiny under Art.23 market surveillance cooperation obligations.
The Consent Exception: What Counts as Valid Consent Under Art.5(1)(l)
The only lawful basis for generating synthetic intimate imagery of a real individual under Art.5(1)(l) is explicit, freely-given, specific, and informed consent.
This standard is intentionally demanding. Consent obtained through:
- General terms of service acceptance ("by using this service you consent to all processing") — invalid
- Implied consent from submission of photographs — invalid
- Consent obtained under economic duress (e.g., as a condition of employment or service) — invalid under freely-given
- Platform-mediated consent where the individual does not understand the output will be intimate imagery — invalid under informed
- Retroactive consent sought after generation — not a valid exception (the prohibition bites at the moment of generation)
What valid consent requires:
- A dedicated, documented consent process separate from general ToS
- Explicit confirmation that the individual understands the system will generate intimate imagery depicting them
- Specification of the scope: what type of imagery, for what purpose, by whom, retained how long
- Evidence of consent retained and producible on request by market surveillance authorities
- A revocation mechanism: the individual can withdraw consent, and revocation must be technically enforceable (generated images must be deleted upon revocation)
The professional context exception — Art.5(1)(l) includes a narrowly drawn exception for professional contexts where generation of synthetic intimate imagery has legitimate artistic, educational, or scientific justification. Examples include:
- Medical AI systems generating synthetic anatomical imagery for clinical training purposes
- Film and television production tools where the actor has provided informed consent and contractual clearance
- Forensic and counter-CSAM systems that generate synthetic content to train detection classifiers
These exceptions are subject to strict necessity requirements: the generation must be limited to what is necessary for the stated purpose, and cannot be repurposed for any other use.
Art.5(1)(l) vs. Art.5(1)(a)-(h): Where the New Prohibition Fits
The original EU AI Act Art.5(1) established eight categories of prohibited AI practices, all of which have been in force since 2025-02-02:
| Subclause | Prohibition |
|---|---|
| Art.5(1)(a) | Subliminal manipulation below consciousness threshold |
| Art.5(1)(b) | Exploitation of vulnerability of specific groups |
| Art.5(1)(c) | Social scoring by public authorities |
| Art.5(1)(d) | Predictive policing based on individual criminal risk profiling |
| Art.5(1)(e) | Facial recognition database scraping (untargeted) |
| Art.5(1)(f) | Emotion recognition in workplace and educational settings |
| Art.5(1)(g) | Biometric categorisation of sensitive attributes (race, politics, religion, sex life) |
| Art.5(1)(h) | Real-time remote biometric identification in publicly accessible spaces |
Art.5(1)(l) adds to this list a prohibition that overlaps conceptually with several existing categories but addresses a distinct harm:
- vs. Art.5(1)(b) (vulnerability exploitation): NCII causes harm even to individuals who are not in a position of vulnerability. Art.5(1)(l) is broader — it covers any non-consenting individual regardless of vulnerability status.
- vs. Art.5(1)(g) (biometric categorisation): NCII systems process biometric data (facial geometry, body measurements) to achieve synthesis. Art.5(1)(g) addresses categorisation of sensitive attributes; Art.5(1)(l) addresses intimate imagery generation. The two provisions can apply simultaneously.
- vs. Art.5(1)(a) (subliminal manipulation): NCII may be used to manipulate, harass, or coerce, but Art.5(1)(l) does not require proof of a manipulative purpose — the generation without consent is itself prohibited.
The Digital Omnibus also introduces Art.5(1)(i) through Art.5(1)(k) as new prohibited practices. These cover adjacent harms including AI-generated mass disinformation targeting democratic processes and AI systems used to circumvent biometric authentication without authorization. Art.5(1)(l) is the NCII-specific provision.
Technical Implementation: What Providers Must Do
For providers whose systems are not designed as nudifiers but could be misused for NCII generation, Art.5(1)(l) compliance requires a combination of technical controls and governance measures:
System-level controls:
from enum import Enum
from dataclasses import dataclass, field
from typing import Optional
import hashlib
import datetime
class NCIIRisk(Enum):
NONE = "none"
LOW = "low"
MEDIUM = "medium"
HIGH = "high"
PROHIBITED = "prohibited"
class ConsentStatus(Enum):
NOT_REQUIRED = "not_required" # Non-real-person outputs
VALID = "valid" # Explicit consent obtained and documented
INVALID = "invalid" # Consent missing, implied, or coerced
REVOKED = "revoked" # Consent withdrawn — generation blocked
EXPIRED = "expired" # Consent duration elapsed
@dataclass
class NCIIConsentRecord:
"""Documented consent for legitimate synthetic intimate imagery generation."""
subject_id: str # Pseudonymized identifier for the individual
consent_timestamp: datetime.datetime # When consent was obtained
consent_scope: str # Specific description of permitted generation
consent_purpose: str # Stated purpose (e.g., "medical training dataset")
consent_expiry: Optional[datetime.datetime] # When consent expires
consent_hash: str # Cryptographic hash of signed consent document
revocation_timestamp: Optional[datetime.datetime] = None
def is_valid(self) -> bool:
if self.revocation_timestamp is not None:
return False
if self.consent_expiry and datetime.datetime.utcnow() > self.consent_expiry:
return False
return True
def status(self) -> ConsentStatus:
if self.revocation_timestamp:
return ConsentStatus.REVOKED
if self.consent_expiry and datetime.datetime.utcnow() > self.consent_expiry:
return ConsentStatus.EXPIRED
return ConsentStatus.VALID
@dataclass
class NCIIScreeningResult:
"""Result of screening a generation request for Art.5(1)(l) compliance."""
request_id: str
ncii_risk: NCIIRisk
real_person_detected: bool
intimate_content_detected: bool
consent_status: ConsentStatus
permitted: bool
block_reason: Optional[str] = None
timestamp: datetime.datetime = field(default_factory=datetime.datetime.utcnow)
def can_generate(self) -> bool:
"""True only if generation is permitted under Art.5(1)(l)."""
return self.permitted
def compliance_log_entry(self) -> dict:
return {
"request_id": self.request_id,
"timestamp": self.timestamp.isoformat(),
"ncii_risk": self.ncii_risk.value,
"real_person_detected": self.real_person_detected,
"intimate_content_detected": self.intimate_content_detected,
"consent_status": self.consent_status.value,
"permitted": self.permitted,
"block_reason": self.block_reason,
}
class NCIIProhibitionChecker:
"""
Art.5(1)(l) compliance gate for AI image/video synthesis systems.
Implements pre-generation screening to detect and block prohibited
NCII generation under EU AI Act Digital Omnibus Art.5(1)(l).
"""
def __init__(
self,
primary_purpose_is_ncii: bool = False,
known_consent_records: Optional[dict] = None,
):
self.primary_purpose_is_ncii = primary_purpose_is_ncii
self.consent_records: dict[str, NCIIConsentRecord] = known_consent_records or {}
self._screening_log: list[NCIIScreeningResult] = []
def system_level_prohibited(self) -> bool:
"""
Returns True if the system itself is prohibited under Art.5(1)(l)
regardless of any individual request screening.
A system is prohibited if it is designed for NCII generation.
Market surveillance authorities assess this at the system level —
request-level screening does not cure a system-level prohibition.
"""
return self.primary_purpose_is_ncii
def screen_request(
self,
request_id: str,
prompt: str,
real_person_name: Optional[str],
intimate_content_signal: bool,
subject_id: Optional[str] = None,
) -> NCIIScreeningResult:
"""
Screen a generation request for Art.5(1)(l) compliance.
Args:
request_id: Unique request identifier for audit log
prompt: The generation prompt (for content classification)
real_person_name: Name of real individual detected in prompt (if any)
intimate_content_signal: True if content classifier flagged intimate content
subject_id: Pseudonymized ID for consent record lookup (if applicable)
"""
# System-level check first
if self.system_level_prohibited():
result = NCIIScreeningResult(
request_id=request_id,
ncii_risk=NCIIRisk.PROHIBITED,
real_person_detected=bool(real_person_name),
intimate_content_detected=intimate_content_signal,
consent_status=ConsentStatus.NOT_REQUIRED,
permitted=False,
block_reason="System prohibited under Art.5(1)(l): designed for NCII generation",
)
self._screening_log.append(result)
return result
real_person_detected = real_person_name is not None
if not real_person_detected and not intimate_content_signal:
# No NCII risk — no real person, no intimate content signal
result = NCIIScreeningResult(
request_id=request_id,
ncii_risk=NCIIRisk.NONE,
real_person_detected=False,
intimate_content_detected=False,
consent_status=ConsentStatus.NOT_REQUIRED,
permitted=True,
)
self._screening_log.append(result)
return result
if real_person_detected and intimate_content_signal:
# High risk: real person + intimate content signal
# Check consent
consent_status = self._check_consent(subject_id)
if consent_status == ConsentStatus.VALID:
result = NCIIScreeningResult(
request_id=request_id,
ncii_risk=NCIIRisk.HIGH,
real_person_detected=True,
intimate_content_detected=True,
consent_status=ConsentStatus.VALID,
permitted=True, # Exception: valid consent obtained
)
else:
result = NCIIScreeningResult(
request_id=request_id,
ncii_risk=NCIIRisk.PROHIBITED,
real_person_detected=True,
intimate_content_detected=True,
consent_status=consent_status,
permitted=False,
block_reason=f"Art.5(1)(l) prohibition: real person detected + intimate content, consent {consent_status.value}",
)
self._screening_log.append(result)
return result
# Partial risk: one signal present but not both
risk = NCIIRisk.MEDIUM if real_person_detected else NCIIRisk.LOW
result = NCIIScreeningResult(
request_id=request_id,
ncii_risk=risk,
real_person_detected=real_person_detected,
intimate_content_detected=intimate_content_signal,
consent_status=ConsentStatus.NOT_REQUIRED,
permitted=True, # Permitted but flagged for monitoring
)
self._screening_log.append(result)
return result
def _check_consent(self, subject_id: Optional[str]) -> ConsentStatus:
if not subject_id:
return ConsentStatus.INVALID
record = self.consent_records.get(subject_id)
if not record:
return ConsentStatus.INVALID
return record.status()
def compliance_gaps(self) -> list[str]:
"""Identify Art.5(1)(l) compliance gaps in system configuration."""
gaps = []
if self.primary_purpose_is_ncii:
gaps.append("CRITICAL: System is designed for NCII — prohibited under Art.5(1)(l). Cannot be offered to EU users.")
recent_blocks = [r for r in self._screening_log if not r.permitted]
if len(recent_blocks) > 0:
gaps.append(f"WARNING: {len(recent_blocks)} generation requests blocked for Art.5(1)(l) in current session.")
return gaps
def generate_compliance_summary(self) -> dict:
total = len(self._screening_log)
blocked = sum(1 for r in self._screening_log if not r.permitted)
high_risk = sum(1 for r in self._screening_log if r.ncii_risk == NCIIRisk.HIGH)
return {
"system_prohibited": self.system_level_prohibited(),
"total_requests_screened": total,
"blocked_requests": blocked,
"high_risk_requests": high_risk,
"block_rate": f"{(blocked/total*100):.1f}%" if total > 0 else "0%",
"compliance_gaps": self.compliance_gaps(),
}
Governance controls for general-purpose synthesis providers:
If your system is a general-purpose image or video synthesis API that is not designed for NCII generation, Art.5(1)(l) compliance requires:
- Content classification at inference time — Deploy a real-person detection classifier (facial recognition or entity detection from prompts) and an intimate content signal classifier. Gate generation on the combined output.
- Terms of service prohibition — Explicitly prohibit NCII generation in your acceptable use policy. Make this prohibition machine-readable via API documentation metadata.
- Fine-tune and RLHF alignment — Implement RLHF or equivalent alignment techniques to reduce the model's propensity to generate intimate imagery of real individuals even when prompted.
- Monitoring for primary actual use drift — Monitor aggregate usage patterns. If NCII generation becomes the dominant use case for your API, Art.5(1)(l) applies to you via the "primary actual use" limb even if you did not design the system for this purpose.
- Downstream deployer due diligence — Before granting API access to deployers, require contractual commitments that the deployer will not build NCII use cases on your infrastructure.
Intersection with DSA, GDPR, and National Law
Art.5(1)(l) does not operate in isolation. Three regulatory frameworks interact:
Digital Services Act (DSA) Art.16 — Notice and Action: Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) must implement notice-and-action mechanisms allowing individuals to flag NCII content. DSA Art.16 addresses the hosting of NCII at the platform layer; Art.5(1)(l) addresses its generation at the AI system layer. Both obligations can apply simultaneously to a platform that both hosts and generates AI content.
GDPR Art.9 — Special Categories of Personal Data: Biometric data processed to generate intimate imagery involving identifiable individuals constitutes processing of special category data under GDPR Art.9(1). No lawful basis under Art.9(2) covers NCII generation without consent. Art.5(1)(l) violation typically entails simultaneous GDPR Art.9 violation, creating dual regulatory exposure: EU AI Act Art.99(1) fines plus GDPR Art.83(5) fines (up to €20M or 4% of global turnover).
National criminal law: Multiple EU Member States have existing criminal provisions covering NCII:
- Germany: §184k StGB (Verletzung des persönlichen Lebens- und Geheimbereichs durch Bildaufnahmen) — criminal penalty of up to 2 years imprisonment
- France: Art.226-8 CP (image morphing without consent) — up to 2 years imprisonment and €30,000 fine
- Netherlands: Art.139h Sr — criminal penalty applicable since 2022
- Ireland: Harassment, Harmful Communications and Related Offences Act 2020
Art.5(1)(l) enforcement by national market surveillance authorities under the EU AI Act does not preclude parallel criminal prosecution under national law. Providers face concurrent civil, administrative, and criminal liability in the worst cases.
Intersection with the AI Liability Directive (ALD)
The AI Liability Directive (COM(2022)496) — if enacted — creates additional civil liability exposure for Art.5(1)(l) violations:
ALD Art.4 — Rebuttable Presumption of Fault: A claimant who demonstrates that an AI system caused damage can invoke the rebuttable presumption that the provider acted with fault if:
- The provider failed to comply with duties under the EU AI Act (including Art.5(1)(l)), and
- The failure is plausibly linked to the damage
For NCII cases, the causal link is typically direct: the AI system generated the intimate imagery, which caused the harm (reputational damage, psychological harm, economic harm from coercion). The rebuttable presumption shifts the burden to the provider to disprove fault.
ALD Art.3 — Disclosure of Evidence: Courts may order providers to disclose technical documentation, audit logs, and generation records relevant to NCII damage claims. Providers without documented consent processes or screening logs face compelled disclosure of absence of controls — which strengthens the claimant's fault presumption.
Enforcement Timeline and Compliance Roadmap
| Milestone | Date | Action Required |
|---|---|---|
| Digital Omnibus in force (estimated) | 2026-Q3/Q4 | Monitor Official Journal — Art.5(1)(l) effective date set by amendment |
| Art.5(1)(l) general application | December 2027 | Full compliance mandatory for all covered systems |
| Member State market surveillance active | Ongoing (2025+) | National authorities apply existing NCII law pending Omnibus |
| DSA NCII notice-and-action obligations | Active now (VLOPs) | Parallel DSA compliance already required |
For providers today:
- Assess whether your system's primary purpose or primary actual use is NCII generation. If yes: the system cannot be offered to EU users under Art.5(1)(l) from December 2027, and you should plan market exit or re-architecture now.
- For general-purpose systems: implement real-person detection + intimate content signal classification. Document the implementation.
- Review ToS and API acceptable use policies to explicitly prohibit NCII use cases.
- Implement consent management infrastructure if you offer legitimate professional use cases (medical imaging, film production).
- Conduct a GDPR Art.9 assessment for your image synthesis pipeline.
25-Item Art.5(1)(l) Compliance Checklist
System Classification (Items 1-5)
- 1. Assessed whether system is designed for NCII generation (if yes: market exit required)
- 2. Assessed whether NCII is the primary actual use of the system (usage monitoring in place)
- 3. Documented system purpose and primary use case in technical documentation
- 4. Classified system against Art.5(1)(l) scope: prohibited / general-purpose at risk / out of scope
- 5. Reviewed system classification with legal counsel for EU AI Act applicability
Technical Controls (Items 6-12)
- 6. Real-person detection classifier deployed at inference time
- 7. Intimate content signal classifier deployed at inference time
- 8. Combined NCII risk gate: blocks generation when real-person + intimate content both detected
- 9. RLHF or fine-tuning alignment implemented to reduce NCII propensity
- 10. Prompt-level filtering for named real individuals combined with intimate content requests
- 11. Generation request audit log maintained (request ID, timestamp, screening result, block reason)
- 12. Consent record management system implemented (for legitimate professional use cases)
Consent Framework (Items 13-17)
- 13. Consent collection process documented (explicit, freely-given, specific, informed)
- 14. Consent scope clearly described to subject at collection time
- 15. Consent records cryptographically signed and verifiable
- 16. Consent revocation mechanism implemented and technically enforceable
- 17. Consent records retained and producible on market surveillance request
Governance and Supply Chain (Items 18-22)
- 18. ToS and acceptable use policy explicitly prohibit NCII generation
- 19. Downstream API deployer agreements include NCII prohibition clause
- 20. Monitoring for primary actual use drift (NCII becoming dominant use case)
- 21. GDPR Art.9 assessment completed for image synthesis pipeline
- 22. National law assessment completed for all EU Member States where service is offered
Legal and Regulatory (Items 23-25)
- 23. Art.99(1) penalty exposure assessed (€35M or 7% global turnover)
- 24. ALD civil liability exposure assessed (rebuttable presumption of fault)
- 25. DSA Art.16 notice-and-action obligations assessed (if VLOP/VLOSE status applies)
Key Differences: Art.5(1)(l) vs. Existing Content Moderation Obligations
A common misunderstanding is that Art.5(1)(l) is simply a stricter version of existing content moderation requirements. It is not. The critical differences:
Art.5(1)(l) is a prohibition on the AI system, not on content: Existing content moderation rules (DSA, platform community standards) prohibit hosting NCII after it is generated. Art.5(1)(l) prohibits the AI system that generates it. This means the prohibition applies even if the generated content is never distributed.
Compliant content moderation ≠ Art.5(1)(l) compliance: A platform that has a zero-tolerance NCII removal policy and excellent notice-and-action compliance under DSA is still non-compliant with Art.5(1)(l) if it also offers a nudifier AI system on its platform, regardless of removal speed.
Technical safeguards do not cure a prohibited system: If a system is designed for NCII generation, adding a consent checkbox, age verification, or watermarking does not remove it from the Art.5(1)(l) prohibition. The prohibition is at the system level, not the output level.
Practical Implications for EU Developers and Operators
Scenario 1: You operate a dedicated nudifier service targeting adult content platforms. Under Art.5(1)(l), this system cannot be offered to EU users from December 2027. Planning now: either geo-block EU users (with the legal risks that entails for EU residents using VPNs) or shut down the service. National law may already impose liability.
Scenario 2: You operate a general-purpose image synthesis API used by many customers. Compliance requires: usage monitoring to confirm NCII is not the primary actual use, real-person + intimate content classifiers at inference time, explicit ToS prohibition, deployer agreement clauses, and audit logging. The "primary actual use" limb means you cannot ignore how your API is actually used by customers.
Scenario 3: You operate a professional video production tool with model consent contracts. If your actors provide written, informed consent for specific synthetic intimate imagery for defined professional purposes (e.g., stunt doubles, historical recreations), the consent exception may apply. You need documented consent processes, purpose limitations, and data retention policies aligned with GDPR Art.9.
Scenario 4: You operate a CSAM detection system that generates synthetic imagery for classifier training. The professional context exception likely applies, but requires strict governance: generation limited to classifier training purposes only, access restricted to authorized researchers, no distribution of generated imagery, and documented necessity assessment.
Summary
Art.5(1)(l) — introduced by the EU AI Act Digital Omnibus — creates an absolute prohibition on AI systems whose design or primary actual use is the generation of non-consensual synthetic intimate imagery of real individuals. The prohibition:
- Applies to providers, deployers, importers, and distributors across the EU market
- Carries the highest penalty tier: €35M or 7% of global annual turnover under Art.99(1)
- Runs alongside GDPR Art.9 liability, DSA Art.16 obligations, and national criminal law
- Includes a consent exception for explicit, specific, informed, freely-given consent
- Includes a professional context exception for medical, forensic, and artistic uses with strict necessity requirements
- Applies from December 2027 (Digital Omnibus enforcement timeline)
For most providers of general-purpose image and video synthesis AI systems, the key compliance obligation is not system prohibition but primary actual use monitoring — ensuring NCII does not become the dominant use case for your system through a combination of technical controls, ToS enforcement, and deployer due diligence.
See Also
- EU AI Act Art.5 Prohibited Practices: Developer Guide — The original eight prohibited practices under Art.5(1)(a)-(h) in force since February 2025
- EU AI Act Digital Omnibus: Deadline Extension and Compliance Timeline — The full Digital Omnibus package: scope, what changes, what does not
- EU AI Act Art.50 Marking CoP 2nd Draft: Two-Layer Transparency System — Art.50 marking obligations for AI-generated content including NCII scenarios
- EU AI Act Art.15 Accuracy, Robustness and Cybersecurity — Technical robustness requirements that intersect with NCII detection system design